Information Security - Science topic

Thanks a lot Dalton Cézane Gomes Valadares

Yes, artificial intelligence (AI) can significantly improve cybersecurity in various ways:

Dear Professor,

The Cloud GRC and cloud forensics are both essential for ensuring the security of cloud environments. However, they serve different purposes and are not mutually exclusive.

A cloud GRC framework is a set of policies, procedures, and controls that organizations use to manage their cloud security risks. It helps organizations to identify, assess, and mitigate risks associated with cloud computing. A cloud GRC framework can help organizations to:

A cloud forensics strategy is a plan for collecting, preserving, and analyzing digital evidence in cloud environments. It helps organizations to investigate security incidents and to prosecute attackers. A cloud forensics strategy can help organizations to:

Both cloud GRC and cloud forensics are essential for ensuring the security of cloud environments. However, cloud GRC is more focused on preventing security incidents, while cloud forensics is more focused on responding to and investigating security incidents.

The specific needs of an organization will determine which is more needed. For example, an organization that is highly regulated or that stores sensitive data may need a more robust cloud GRC framework. An organization that has experienced a security incident may need to develop a more comprehensive cloud forensics strategy.

Ultimately, both cloud GRC and cloud forensics are essential for ensuring the security of cloud environments. By implementing both, organizations can protect themselves from a variety of security risks.

You have a general topic, now think about the skills you want to use. What skills and knowledge do you want to sharpen for your next job? What have you mastered? Do you like playing with data or writing and explaining models? Are your interests interdisciplinary?

At the end of your thesis, for one hot minute, you will be the world's expert in answering one question. What do you want that question to be?

Information security and system security are two closely related but distinct fields of study. Information security is concerned with protecting the confidentiality, integrity, and availability of information, while system security is concerned with protecting the confidentiality, integrity, and availability of systems.

Information security refers to the protection of information from unauthorized access, use, disclosure, disruption, modification, or destruction. It is a broad field that encompasses a wide range of security measures, including:

System security refers to the protection of systems from unauthorized access, use, disclosure, disruption, modification, or destruction. It is a broad field that encompasses a wide range of security measures, including:

Examples of information security include:

Examples of system security include:

To become an Information Security Journalist, you will need to have a good understanding of the different aspects of the field, including technical, legal, and policy issues. You should also have strong writing and research skills. Additionally, it is important to have the ability to explain complex technical concepts to a wide variety of readers. Depending on the outlet you write for, you may also need to have a background in computer science, network security, or other related areas. Finally, you should be comfortable with the ever-changing landscape of information security and be able to quickly adapt to industry developments.

I don't use whatsapp and I don't care to use it.

I have a research on cyber security. Where i worked with patterns of cyber attacks actually and one of the hypothesis of the research is: Cyber-attack gives the same pattern in all the different, different IP addresses. You can check the research from my profile to get some big ideas for you.

In today's globalized and digitally connected world, cyber security has become an essential aspect of our lives. With the increasing reliance on technology, the potential for cyber attacks and data breaches has also increased, making it necessary for individuals, organizations, and governments to take steps to protect their systems and data. However, even with the best security measures in place, the human factor remains a critical vulnerability in cyber security.

One of the primary challenges with the human factor is that humans are prone to making mistakes, being complacent, and being unaware of the risks they face. Cyber criminals often exploit these weaknesses to gain unauthorized access to systems and data. For example, they may use social engineering tactics to trick users into divulging sensitive information or to install malware on their devices. In some cases, insiders may intentionally or unintentionally compromise security by, for example, sharing passwords, misusing access privileges, or failing to follow security protocols.

Another challenge is the growing complexity of technology and the lack of cybersecurity awareness among users. As technology advances and new devices, applications, and services emerge, the attack surface increases, and new vulnerabilities are exposed. Many users lack the technical expertise and knowledge necessary to protect themselves effectively, making them easy targets for cyber criminals.

To address the missing link between cyber security provision and the human factor, several steps can be taken. One approach is to improve cybersecurity awareness and education for all users. This can include providing training and resources to help individuals recognize potential threats and understand how to protect themselves and their data. Cybersecurity awareness can also be integrated into the culture of an organization, making security a shared responsibility among all employees.

The Influence of Internal Audit on Information Security Effectiveness: Perceptions of Internal Auditors ABSTRACT This paper presents the results of a survey of internal auditors’ perceptions about the nature of the relationship between the information security and internal audit functions in their organization and the effect of that relationship on their organization’s information security efforts. We find that internal auditors perceive that increasing the frequency with which they review some information security activities improves the quality of the relationship between the two functions. However, the quality of their relationship with the information security function does not affect either the number of security incidents or the number of audit findings related to information security issues. We also find that internal auditors report that the frequency of audit reviews of information security affects the number of audit findings related to information security, but does not affect the number of security incidents. We discuss the implications of our findings for both research and practice. Keywords: Internal audit, information systems security, information security governance, perceptions, survey

www.Information-Security-Effectiveness.pdf (jebcl.com)

_____

_____

_____

_____

i found many useful insights and will be waiting for more . Thank you

Len Leonid Mizrah that's a wonderful response and I second you. Atiff Abdalla Mahmoud the issue of academic dishonesty in decentralised learning is an emerging and growing trend. The consequences associated with this trend are also relatively new. This sparks a revision of preventive measures which are currently being used to match the trend. without new inventive and resilient techniques, the issues will only grow to unacceptable proportions of which if this happens the value of education will completely be eroded. My take is that the current measures are not anywhere near enough.

Dear thank you for your attention.

Very interesting question! I completely agree and support the opinion of dear colleagues Ljubomir Jacić, Doherty Odueko Funmilayo. Thank you!

I think the following papers can help you:

Yes, due to the high dynamics of development of cyber crime, cyber threats, cyber risk, information security on the Internet, cyber crime risk management, information management transferred in cyberspace, hacking techniques in online and mobile banking etc. it happens that some synonymous terms are used interchangeably. This can cause interpertional dissonance. In this connection, an important issue is the permanent updating of the language of the problem in the field of cyber crime and cyber security and the semantic classification of individual concepts and relationships between them.

Regards,

Dariusz Prokopowicz

Before we jump into our main topic of interest – cyber security vs. network security – let’s try to understand what information security is first.

By now it’s not totally wrong to say that Internet has revolutionized everything by changing how we do things. Social media has become the internet sensation within a few years and e-commerce giants like Amazon have made purchasing online a breeze, and Google has made everything easily accessible at our fingertips.

Businesses are more digitally advanced than ever, and as technology advances, businesses’ security infrastructure must be tightened as well. Internet has evolved and so does vulnerabilities with more people taking advantage of these interconnected systems and exploit weaknesses. This pertains to information security.

Information security refers to the processes and techniques designed to protect any kind of sensitive data and information whether in print or electronic form from unauthorized access. Information is a valuable asset to every individual and businesses, which makes even more important to protect them from theft or damage.

Cyber security is a subset of information security which deals with protecting internet-connected systems including hardware, software, programs, and data from potential cyberattacks. It protects the integrity of networks from unauthorized electronic access. Network security is the subset of cyber security designed to protect the integrity of any network and data that is being sent through devices in that network.

What is Cyber Security?

Cyber security is a common term concerned with all aspects of cyber space. It is a subset of information security that deals with protecting the integrity of networks, devices, and programs from attack, damage, or unauthorized outside access. It refers to a set of techniques, technologies, and processes designed to protect systems and networks from potential cyber attacks. It protects the integrity of networks from unauthorized electronic access by implementing various security measures and controls in place. The cyber security professionals monitor all incoming and outgoing traffic to reduce the risk of cyber attacks all the while protecting the organization from unauthorized exploitation of systems.

Read more: Difference between Cyber Security and Network Security | Difference Between http://www.differencebetween.net/technology/difference-between-cyber-security-and-network-security/#ixzz6ASN30luG

Agree with Ralf's views on this. Universities can look at industry linked programs in Risk and Compliance space and privacy can be covered under that.

Dear Mr. Giulio di Lernia

Thank you very much for a comprehensive and helpful answer! I myself am an Information Security Manager, and also an Operational Risk Manager in my institution and I am pretty much familiar with your experiences. So I think, definitely, a lawyer and an infosec manager should make a DPO team. Lawyers know the legislation and infosec managers know standards and data protection side of the story. It's like two sides of the same coin, both necessary for a good privacy management.

Dear Mr. Thank you very much for good wishes! All the best to you too in the coming year!

Best Regards,

Rajko Sekulović

Thank Dr David L Morgan for your reply.

Here is my justification.

However, I have known better technique to identify (but not sure if it is the best technique).

But, as mentioned before, not sure if this the best way.

Furthermore, I read different research papers regarding "Identifying Careless Responses within Likert scale or questionnaire", they discussed various methods to handle these kind of responses, but they are not clear to me.

Start by reading survey

Bio-hashing and cancellable biometric approach can help in some extend

Interesting.

Cloud & IoT: security?

Let us review quickly what's Cloud, what's IoT. Then we'll see how they combine and how to implement security.

Cloud Computing enables the gathering of data from multiple sources in one place, through networks, and the processing of this data (such as big data analysis) as a Compute element, followed by decision and feeding back this decision to the leaves of the tree (Edge) again over network.

We see here the emergence of three key aspects: Data, Network, Compute.

2.IoT

In fact we should be more specific and focus on the Edge, where the success of IoT is defined (or missed).

The Edge is the contact, the interface between real world (analogue, physical, biological, human, behavioral, etc) and digital representation (mathematical, graph-theoretical, computer systems, algorithms, automation strategy, detection/decision).

The interface from real to digital is typically in sensors, and the interface from digital to real is typically in actuators.

IoT are systems leveraging on sensors and/or actuators, with use of Network, Compute (Data is in sensors/actuators subsystems already).

3. Combination of Cloud and IoT: security

Security is a method, a mindset, an operation strategy well implemented.

It considers Data, Network, Compute, and all the software and hardware elements along the way in the implementation.

Security has a structural element:

-sound design

-sound operation.

Security has a dynamic (see game theory for detail) element:

-Risk analysis and Threat Scenarios

-Adversary model (who, what organization type is guessed behind the envisaged threat)

-Prevention schemes

-Response schemes and levels (like in military defense plans/actions).

I would therefore perform first spot analysis :

-Edge security

That's an obvious entry door for an adversary

-Network security

End to end: this is the stone or wooden bridge carrying the data, let nobody blow it, or find alternative routes

-Compute

Ensure secure computing by distributing tasks, so that restart points are found in case of unavailability of certain nodes.

Edge Computing is a strong survivable approach (see ETSI ISG MEC for advanced architectural standards).

It is very useful to look at past problems and learn from them.

a) Telecom: AT&T major early network collapse, US wide. This top class operator analysed and learnt since

b) Energy: many example of blackouts, e.g. Italy black-out linked to issue in Switzerland through connection with France

c) Railways and airlines :

Railways have a long history (200 years almost) and have well established risk methodology (e. g. Classify accidents by number of people impacted and react proportionally).

Here I would look at reliability and security together. After all reliability problem is the worst security issue, with the ultimate and worst Adversary playing against you.

I hope this helps bring in a methodological approach suitable for your problem.

Depending on what you want to do / your security profession aspiration or your IT major / specialization during university days. Some certifications focus more on security control / audit e.g. CISA, CISM & CRISC, some more on cloud security e.g. CCSK & CCSP, some more on hacking & forensic e.g. CEH & CHFI, some on software development security like CSSLP from ISC2. There are also some related to product vendors e.g. security certifications from Cisco, Checkpoint, Fortinet etc. For general ones, you might consider CISSP, SSCP or CompTIA Security+. For popular security certifications in 2019, you can explore following RG links. Wishing you all the best.

https://www.businessnewsdaily.com/10708-information-security-certifications.html

https://www.cio.com/article/3310836/top-it-security-certifications.html

https://www.computerworlduk.com/galleries/security/top-it-security-certifications-3682183/

https://cybersecurityventures.com/10-hot-cybersecurity-certifications-for-it-professionals-to-pursue-in-2019/

The recent advances & metrics for performance assessment of Round Robin and Proportional Fair Scheduling on 5G Millimeter Wave for Node Density are The next fifth generation (5G) of wireless communication networks comes with a set of new features to satisfy the demand of data-intensive applications: millimeter-wave frequencies, massive antenna arrays, beamforming, dense cells, and so forth. In this paper, we investigate the use of beamforming techniques through various architectures and evaluate the performance of 5G wireless access networks, using a capacity-based network deployment tool. This tool is proposed and applied to a realistic area in Ghent, Belgium, to simulate realistic 5G networks that respond to the instantaneous bit rate required by the active users. The results show that, with beamforming, 5G networks require almost 15% more base stations and 4 times less power to provide more capacity to the users and the same coverage performances, in comparison with the 4G reference network. Moreover, they are 3 times more energy efficient than the 4G network and the hybrid beamforming architecture appears to be a suitable architecture for beamforming to be considered when designing a 5G cellular network. Round Robin ( RR ) and PF scheduling algorithms have been evaluated for real video traffic using EXata network emulator considering throughput and PDR as performance metrics. Throughput performance and packet delivery ratio for RR & PF scheduling algorithms are similar for lower codec rates while RR performs better compared to PF for higher codec rates. Hence RR scheduling algorithm performs better than PF for video streaming applications.

We should focus on hardware, and software to manage this situation. Also, human behavior is very important, too. I need more time and knowledge to do my research as an expert towards this challenge. The starting point for this issue is education. It will help us to do new research. Since, the security is very low now.

Dear Dragan Pleskonjic,

Currently, research centers are being conducted in some research centers to answer the above question. The research concerns the involvement of new information and IT technologies such as: Big Data database technologies, cloud computing, machine learning, Internet of Things, artificial intelligence for prediction research processes, forecasting future events. Positive effects of this type of research are already determined. However, the need to continue this research in order to fully confirm the obtained results.

Best wishes

Hi Eleanor! I worked on this arranging this podcast featuring Intel IT Information Security director Xochitl Monteon (https://connectedsocialmedia.com/16473/inside-it-strengthening-intels-security-culture/), who talks about the multiple ways Intel tries to strengthen security culture to resist things like phishing, to develop more security applications (much cheaper in the long run), and to function as a kind of human sensor as part of a greater defense in depth strategy. Techniques include:

I also suggest you look at some of the software for phishing education/simulation that is out there.

Interesting

This is a practise in general. Every information element, system, network resource has to be classified as an asset with key tags like classification (confidential, proprietary etc), value (cost to setup, cost of rebuild if compromised etc) etc. Find the vulnerabilities, identify the threats of exploiting these vulnerabilities, for every possible threat perform a risk analysis. This gives a level of security. Based on how the risks are handled (accept, mitigate, transfer), security posture of it can be evaluated. Again as pointed by Vyacheslav, security level is always relative and your starting point could be any compliance standards as baseline.

Its possible to happen

Thank you all for taking part in this discussion and sharing your thoughts. Discussion is open and I hope there will be even more participants after summer.

There is a conference paper " A recent review on lightweight cryptography in IoT" , available on

The Session was well received by participants as reflected in an encouraging feedback.

I concluded my session with my perspective that " ANALYTICS IN DIGITAL AGE is what ENGINEERING WAS TO INDUSTRIAL AGE" after citing profound influence of Analytics through multiple facets [referred in earlier visual]

See list of papers related to cloudsim

Also a lot of cloud sim material is given on following link

@albert, yes this is possible however stream ciphers are statefull and if you look for a stateless block cipher then stream ciphering is not possible.

Thank you sir for lightning insight in MPC

Passwords are about the only form of authentication human beings can use, but the entropy of passwords remembered by humans is very low. Hence, dictionary attacks against passwords are very effective. Several different PAKE protocols can make network protocols safe against both passive and active attackers, but none of them can protect against server compromise - a dictionary attack can always be mounted against the authentication data the server holds.

Secret sharing is used in building secure authentication protocols with weak passwords where the leakage of a single server's data does not allow for dictionary attacks on the password. A simple form of this is used in the real world by Verisign: Server-Assisted Generation of a Strong Secret from a Password. More recent research in to the problem: Provably Secure Threshold Password-Authenticated Key Exchange.

In human relationships, I don't think a "zero trust" model is effective. Without trust at some level, humans have no way of communicating with each other. I believe people need to foster a hermeneutic of charity with regard to others rather than a hermeneutic of suspicion, and a zero trust model is a hermeneutic of suspicion run amok.

More what I envisioned is that one goes through a process in data analysis of increasing desperation.

Try 1) I try combining X1 through X9 by simple addition. I tried var1=X1+X2+x3, and var1=X1+x7+X8+X9. I also made up a bunch of other vars that were similar. That did not give the answer that I wanted.

Try 2) I try multiplication: X1*X4, X2*X3*X7, and X4*X5*X6*X8*X9*X10

Try 3) I try ratios

Try 4) I try random transformations (inverse, exponent, roots, log)

Try 5) I am now desperate, so I start with creative functions like var1=log(X1)^cos(X2) and var2=(X1+X2)/(X3*X4)^(1/X5). That last one was close to significant, so maybe I could just tweek it a little. I'll develop the theory to rationalize the significant breakthrough later.

A never ending fishing expidition trying to find latent variables that provide significant models. This is in contrast to something like factor analysis or using existing theory to define latent variables. As Bob suggested, the significant results should be tested with another data set, and should be a suggestion for every research project with novel results.

Many of the chat applications are using this protocol i guess

Please check out our latest article https://www.researchgate.net/publication/316171551_Prevention_is_better_than_cure_Designing_information_security_awareness_programs_to_overcome_users%27_non-compliance_with_information_security_policies_in_banks

Hi Molrani

While there is a relationship between IT Governance and Information Security, it is not a simple relationship.

I have printed a list of references on Governance+IT Governance, as well as a list of References on Information Security from my personal collection to give you an idea of how they fit together. Most of these references can be freely downloaded from Google Scholar, if you paste the title into the Google Scholar search bar.

That should give you an idea of the challenges you face, and will certainly get you thinking about the issue with some understanding of the problems faced.

I hope it helps.

Regards

Bob

enc

Thank you all for the replies. I will check the resources you have mentioned. Abeer, I will upload links and files I find about this. Hope you can use them.

kindly check this book to understand more about HIPPA , how to secure HL7 messages  and other Healthcare IT skills needed .

also your RM team should first classify the Medical records then think how to protect according to HIPPA requirements , same time they should do Risk Assessment to find out the risks  you could face and what is the impacts and likelihood reealted to each risk and what is the best risk response for that.

for instance if your LAB IS can be hacked , medical records will be exposed , or when hacker hack doctor PC he can get computerized physician order entry (CPOE) medical records.

You could search for Address Space Layout Randomisation - it does not prevent copying of RAM, but is useful to prevent e.g. buffer overflow attacks.

I too, like Vijay Ananda and Majid Bakhtiari believed that our smss travel plain without encryption but the down votes force me to think that may be it is not the case!

WhatsApp support end to end encryption, I know (though dont know what algo is used!). Gmail uses PGP (IDEA) but, sms?????Still doubtful!

This happens by two things: First, your air-gapped system is already infected, and second one is an infected cellphone is nearby. For the before system, this would be incredibly difficult on any of the air-gapped systems I've used, as any software being brought into the building must be throughly scanned and checked before getting near the system. As for the latter, every place with air-gapped systems I've worked at has mandated that all cell phones and electronic devices must be kept outside the RF shielded office..

You may check this tool....

Did you mean 2D DWT along with PCA is more efficient??

Interesting links, Jeff.

Game theory in connection with secure multiparty computations is also an active research field for privacy-enhancing technologies, which also utilise cryptography.

For example: http://link.springer.com/chapter/10.1007%2F978-3-642-22348-8_15

Symmetric key decryption needs the key, once you have the key you can decrypt.

Now, you are asking about local decryption (partial one) for this you need to derive "chunk" key and open only that key. You can start from a master key and derive a binary tree of keys E(k,0) and E(k,1) for the left and right side keys and keep on doing it to build a tree of keys, at the leaves are the chunk keys with which you encrypt/ decrypt the data. You can always derive the chunk key specifically and use it to decrypt the chunk (and nothing else) other keys are pseudorandomly independent.

I am not sure if you are after something like this, but this is one possible solution to partial decryption with partial key only. Note that chunk key derivation is logarithmic in the number of chunks. I assume that you can delegate the chunk keys or even complete subtree key (for a sequence of consecutive chunks).

Human factor is considered as the weakest link in defending systems' security and privacy. The bulk of known attacks lay in the area of social engineering attacks. Phishing attacks are wide spread in on- and off-line communications (for instance, emailing and postal services).

These bold/italic marked terms above can be used to see their exact meaning in the Wikipedia, and applied with any search engine to collect enormous amount of information relating to the actual analyses of vulnerabilities, threats and their impact on privacy and security. 

The problem with takedowns of botnet command and control servers is partially a legal issue, since some internet service providers in some countries do not respond to such requests. Some of these may even profit from being a safe haven for cyber crime. It is also very much harder to stop the growth of a botnet than to grow one, since it is opportunistic and may only need one exploitable vulnerability to successfully infect new hosts, whereas to protect against such attacks all vulnerabilities must be covered. I do not think the sofistication of the attack tools is to blame, it is more the opportunity from huge amounts of poorly implemented or nonexisting cyber security.

Before Snowden it was obvious there is surveillance going on. But Snowden put it in front of everyone to see the huge scale of the operation and the tools. As a result, industry naturally wants to protect, and governments in reaction want to restrict protection. This led to some of the current issues (Apple vs. the FBI, etc.), the re-visit of safe harbor status to the US regarding EU data, and so on. The attempt of legistlation restricting industry is expected to grow.

If you are reading in this area you have probably already found him, but I know from his work with ACT-R that Niels Taatgen has worked with N-back, cognitive modeling, and has a long interest in transfer.

It's very interesting. Why not educate young people on the proper use of social networks?

In addition to the above great feedbacks, you should also take in consideration all dependencies(1st, 2nd, etc... Order Levels) that each asset leverages and how many assets may share common dependencies. 

Computer science is named so because it seeks to apply scientific method to information/computational processes. The subject was a bit unfortunate in that the computer (as a tool) got in the way. As Peter Denning formulated things:

That computer science is not considered a "natural" science is a different question, which I note has been discussed at considerable length here on RG already:  http://www.researchgate.net/post/Is_the_discipline_Computer_Science_a_Natural_Science2

In short Denning sais; computation is the principle in studying information processes. Seeking translation into its counterpart in the natural sciences, biology presents itself, where DNA represents the supreme example of an information propagation process.

What about information security being a science? In my view information security is about ensuring that information processes retain their integrity and that the processed information is not contaminated/compromised - in short that it is protected. There are many ways in which this can be mapped to bioscience. Immunology presented itself as the first candidate to me - considering how malware seeks to infect systems, or how cyber criminal supply chains interact with corporate supply chains.

I do not think that information security is rapidly growing into a scientific discipline, but the case that it is growing into one cannot be denied. Consider the work at Mitre to get an indication.

Hi Oussama,

In terms of mass surveillance, use of metadata and the security versus privacy implications, have a look at the following papers. All are very recent and offer some insight into the dangers and benefits of mass surveillance and big data. 

Lyon, D. (2014). Surveillance, snowden, and big data: capacities, consequences, critique. Big Data & Society, 1(2), 2053951714541861.

Schneier, B. (2014). Metadata= Surveillance. IEEE Security & Privacy, (2), 84-84.

Miller, K. (2014). Total Surveillance, Big Data, and Predictive Crime Technology: Privacy's Perfect Storm. J. Tech. L. & Pol'y, 19, 105.

You can certainly fake a mac-address, then associate to any access point regardless of its security, but the security may authenticate the mac and then reject you. Some WPA networks perform mac filtering, or RADIUS MAC based authentication.

wpa2-personal networks usually authenticate a PSK, not the mac address, so you can fake it yest.

wpa2-enterprise networks usually authenticate a certificate or other credentials, so you can fake it yes. The network may then reject the mac address if its not in DHCP etc.

Remote attestation based on trusted computing supports detecting changes of the remote software.

Thanks so much Elisa and Nils.

Hope to be able to use your testsuite as soon as possible.

PILLAR 2 involves both quantitative and qualitative. Compliance with Pillar 2 follows 4 guiding principles: (i) bank's own assessment of adequacy of capital (quantitative); (ii) supervisory process (qualitative & quantitative); (iii) capital above regulatory minimum (qualitative); and (iv) supervisory intervention (quantitative).

QUALITATIVE DATA: The supervisory process may be quantified. Compliance to certain requirements, such as planing, strategies, etc. may be quantified by coding the response as Yes = 1 = complied and No = 0 = not complied. List items of supervisory review, i.e. Xi: (x1, x2, ..., xn) and score each for compliance and non-compliance. Add all yes = 1 compliance as the number of success and the no = failure. The probability of success is given by:

(1)   p = (s + 1) / ( n + 2)

The probability of failure is q = 1 - p. Assume that in the check list there are 30 items for supervisory compliance the score returned yes = 25 and no = 5. The calculation follows: p = (25 + 1) / (30 + 2) = 26/32 = 0.81 and q = 0.19. Is 25 a significant compliance? This question may be answered by:

(2)   P(X) = [n! / (n - X)!X!] AB

(2.1)   A = pX

(2.2)   B = qn - X

The test statistic of binomial distribution may be used for significance testing:

(3)   Z = [(X/n) - p] / sqrt(pq / n)

The hypothesis statements are: H₀: Z(obs) < 1.65 and H_A: Z(obs) < 1.65 for 95% confidence interval. See attached Z-Table.

Thanks Mr. Santarcangelo for your precious advice. Now in days, i am working on it.

Where is Annex A?